def testOutput(self):
"""Tests the Output function."""
test_filename = os.path.join(u'test_data', u'psort_test.json.plaso')
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'pstorage.plaso')
storage_file = storage_zip_file.StorageFile(test_filename,
read_only=True)
with storage_zip_file.ZIPStorageFileReader(
storage_file) as storage_reader:
output_mediator = self._CreateOutputMediator(
storage_file=storage_file)
output_module = pstorage.PlasoStorageOutputModule(
output_mediator)
output_module.SetFilePath(temp_file)
with event_buffer.EventBuffer(
output_module, check_dedups=False) as output_buffer:
for event_object in storage_reader.GetEvents():
output_buffer.Append(event_object)
original_zip_file = storage_zip_file.StorageFile(test_filename,
read_only=True)
pstorage_zip_file = storage_zip_file.StorageFile(temp_file,
read_only=True)
original_list = []
pstorage_list = []
event_object_original = original_zip_file.GetSortedEntry()
event_object_pstorage = pstorage_zip_file.GetSortedEntry()
while event_object_original:
original_equality_string = event_object_original.EqualityString(
)
pstorage_equality_string = event_object_pstorage.EqualityString(
)
# Remove the UUID for comparision.
original_equality_string, _, _ = original_equality_string.rpartition(
u'|')
pstorage_equality_string, _, _ = pstorage_equality_string.rpartition(
u'|')
original_list.append(original_equality_string)
pstorage_list.append(pstorage_equality_string)
event_object_original = original_zip_file.GetSortedEntry()
event_object_pstorage = pstorage_zip_file.GetSortedEntry()
self.assertFalse(event_object_pstorage)
for original_str, dump_str in zip(sorted(original_list),
sorted(pstorage_list)):
self.assertEqual(original_str, dump_str)
def testOutput(self):
"""Testing if psort can output data."""
formatters_manager.FormattersManager.RegisterFormatter(
PsortTestEventFormatter)
events = [
PsortTestEvent(5134324321),
PsortTestEvent(2134324321),
PsortTestEvent(9134324321),
PsortTestEvent(15134324321),
PsortTestEvent(5134324322),
PsortTestEvent(5134024321)]
output_writer = cli_test_lib.TestOutputWriter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'plaso.db')
storage_file = storage_zip_file.StorageFile(temp_file)
storage_file.AddEventObjects(events)
storage_file.Close()
with storage_zip_file.StorageFile(
temp_file, read_only=True) as storage_file:
output_mediator_object = output_mediator.OutputMediator(
self._formatter_mediator)
output_mediator_object.SetStorageFile(storage_file)
output_module = TestOutputModule(output_mediator_object)
output_module.SetOutputWriter(output_writer)
event_buffer = TestEventBuffer(
output_module, check_dedups=False, store=storage_file)
self._front_end.ProcessEventsFromStorage(storage_file, event_buffer)
event_buffer.Flush()
lines = []
output = output_writer.ReadOutput()
for line in output.split(b'\n'):
if line == b'.':
continue
if line:
lines.append(line)
# One more line than events (header row).
self.assertEqual(len(lines), 7)
self.assertTrue(b'My text goes along: My text dude. lines' in lines[2])
self.assertTrue(b'LOG/' in lines[2])
self.assertTrue(b'None in Particular' in lines[2])
self.assertEqual(lines[0], (
b'date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,'
b'version,filename,inode,notes,format,extra'))
formatters_manager.FormattersManager.DeregisterFormatter(
PsortTestEventFormatter)
def testWriteStream(self):
"""Tests the _WriteStream function."""
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.StorageFile(temp_file)
storage_file._WriteStream(u'bogus', b'test')
storage_file.Close()
storage_file = zip_file.StorageFile(temp_file, read_only=True)
stream_data = storage_file._ReadStream(u'bogus')
self.assertEqual(stream_data, b'test')
storage_file.Close()
def testProcessSources(self):
"""Tests the ProcessSources function."""
test_front_end = extraction_frontend.ExtractionFrontend()
test_file = self._GetTestFilePath([u'ímynd.dd'])
volume_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK, location=u'/',
parent=volume_path_spec)
source_type = dfvfs_definitions.SOURCE_TYPE_STORAGE_MEDIA_IMAGE
with shared_test_lib.TempDirectory() as temp_directory:
storage_file_path = os.path.join(temp_directory, u'plaso.db')
test_front_end.SetStorageFile(storage_file_path=storage_file_path)
test_front_end.ProcessSources([path_spec], source_type)
try:
storage_file = storage_zip_file.StorageFile(
storage_file_path, read_only=True)
except IOError:
self.fail(u'Unable to open storage file after processing.')
# Make sure we can read events from the storage.
event_object = storage_file.GetSortedEntry()
self.assertIsNotNone(event_object)
self.assertGreaterEqual(event_object.data_type, u'fs:stat')
self.assertGreaterEqual(event_object.filename, u'/lost+found')
def testProcessSourcesFilestat(self):
"""Test if the filestat and other parsers ran."""
options = cli_test_lib.TestOptions()
options.quiet = True
options.parsers = u'filestat,pe'
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'test_pe.exe'])
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
self._test_tool.ParseOptions(options)
self._test_tool.ProcessSources()
try:
storage_file = storage_zip_file.StorageFile(options.output,
read_only=True)
except IOError as exception:
self.fail((
u'Unable to open storage file after processing with error: '
u'{0:s}.').format(exception))
event_objects = []
event_object = storage_file.GetSortedEntry()
while event_object:
event_objects.append(event_objects)
event_object = storage_file.GetSortedEntry()
# There should be 3 filestat and 3 pe parser generated events.
self.assertEquals(len(event_objects), 6)
def testRun(self):
"""Tests the Run function."""
test_file = self._GetTestFilePath([u'storage.json.plaso'])
storage_object = storage_zip_file.StorageFile(
test_file, read_only=True)
test_path_spec_queue = single_process.SingleProcessQueue()
test_collector = engine.PathSpecQueueProducer(
test_path_spec_queue, storage_object)
test_collector.Run()
test_collector_queue_consumer = TestPathSpecQueueConsumer(
test_path_spec_queue)
test_collector_queue_consumer.ConsumeItems()
self.assertEqual(test_collector_queue_consumer.number_of_path_specs, 2)
expected_path_specs = [
u'type: OS, location: /tmp/test/test_data/syslog\n',
u'type: OS, location: /tmp/test/test_data/syslog\n']
path_specs = []
for path_spec_object in test_collector_queue_consumer.path_specs:
path_specs.append(path_spec_object.comparable)
self.assertEqual(sorted(path_specs), sorted(expected_path_specs))
def testHasAnalysisReports(self):
"""Tests the HasAnalysisReports function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
has_reports = storage_file.HasAnalysisReports()
self.assertTrue(has_reports)
storage_file.Close()
test_file = self._GetTestFilePath([u'pinfo_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
has_reports = storage_file.HasAnalysisReports()
self.assertFalse(has_reports)
storage_file.Close()
def testHasReports(self):
"""Tests the HasReports function."""
test_file = self._GetTestFilePath([u'psort_test.proto.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
self.assertFalse(storage_file.HasReports())
storage_file.Close()
def testGetSerializedEventObjectStream(self):
"""Tests the _GetSerializedEventObjectStream function."""
test_file = self._GetTestFilePath([u'psort_test.proto.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
data_stream = storage_file._GetSerializedEventObjectStream(3)
self.assertIsNotNone(data_stream)
storage_file.Close()
def testGetSerializedEventObjectOffsetTable(self):
"""Tests the _GetSerializedEventObjectOffsetTable function."""
test_file = self._GetTestFilePath([u'psort_test.proto.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
offset_table = storage_file._GetSerializedEventObjectOffsetTable(3)
self.assertIsNotNone(offset_table)
storage_file.Close()
def testHasStream(self):
"""Tests the _HasStream function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
self.assertTrue(storage_file._HasStream(u'plaso_timestamps.000002'))
self.assertFalse(storage_file._HasStream(u'bogus'))
storage_file.Close()
def testHasEventTags(self):
"""Tests the HasEventTags function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
self.assertFalse(storage_file.HasEventTags())
storage_file.Close()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
self._CreateTestStorageFileWithTags(temp_file)
storage_file = zip_file.StorageFile(temp_file, read_only=True)
self.assertTrue(storage_file.HasEventTags())
storage_file.Close()
def testGetStorageInformation(self):
"""Tests the GetStorageInformation function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
storage_information = storage_file.GetStorageInformation()
self.assertEqual(len(storage_information), 2)
storage_file.Close()
def testGetStreamNames(self):
"""Tests the _GetStreamNames function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
stream_names = list(storage_file._GetStreamNames())
self.assertEqual(len(stream_names), 11)
storage_file.Close()
def testGetSerializedEventTimestampTable(self):
"""Tests the _GetSerializedEventTimestampTable function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
timestamp_table = storage_file._GetSerializedEventTimestampTable(2)
self.assertIsNotNone(timestamp_table)
storage_file.Close()
def testGetSerializedEventStreamNumbers(self):
"""Tests the _GetSerializedEventStreamNumbers function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
stream_numbers = storage_file._GetSerializedEventStreamNumbers()
self.assertEqual(len(stream_numbers), 2)
storage_file.Close()
def testOutput(self):
"""Tests the Output function."""
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'pstorage.plaso')
# Copy events to pstorage dump.
storage_file = storage_zip_file.StorageFile(self._test_filename,
read_only=True)
with storage_zip_file.ZIPStorageFileReader(
storage_file) as storage_reader:
output_mediator = self._CreateOutputMediator(
storage_file=storage_file)
output_module = pstorage.PlasoStorageOutputModule(
output_mediator)
output_module.SetFilePath(temp_file)
with event_buffer.EventBuffer(
output_module, check_dedups=False) as output_buffer:
for event_object in storage_reader.GetEvents():
output_buffer.Append(event_object)
# Make sure original and dump have the same events.
original = storage_zip_file.StorageFile(self._test_filename,
read_only=True)
dump = storage_zip_file.StorageFile(temp_file, read_only=True)
event_object_original = original.GetSortedEntry()
event_object_dump = dump.GetSortedEntry()
original_list = []
dump_list = []
while event_object_original:
original_list.append(event_object_original.EqualityString())
dump_list.append(event_object_dump.EqualityString())
event_object_original = original.GetSortedEntry()
event_object_dump = dump.GetSortedEntry()
self.assertFalse(event_object_dump)
for original_str, dump_str in zip(sorted(original_list),
sorted(dump_list)):
self.assertEqual(original_str, dump_str)
def testGetAnalysisReports(self):
"""Tests the GetAnalysisReports function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
analysis_reports = list(storage_file.GetAnalysisReports())
self.assertEqual(len(analysis_reports), 2)
storage_file.Close()
test_file = self._GetTestFilePath([u'pinfo_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
analysis_reports = list(storage_file.GetAnalysisReports())
self.assertEqual(len(analysis_reports), 0)
storage_file.Close()
def _Open(self):
"""Opens the storage writer."""
self._storage_file = storage_zip_file.StorageFile(
self._output_file,
buffer_size=self._buffer_size,
pre_obj=self._pre_obj,
serializer_format=self._serializer_format)
self._storage_file.SetEnableProfiling(
self._enable_profiling, profiling_type=self._profiling_type)
def testGetEventSources(self):
"""Tests the GetEventSources function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
event_sources = list(storage_file.GetEventSources())
self.assertEqual(len(event_sources), 0)
storage_file.Close()
test_file = self._GetTestFilePath([u'pinfo_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
event_sources = list(storage_file.GetEventSources())
self.assertEqual(len(event_sources), 0)
storage_file.Close()
def testAddEventObjects(self):
"""Tests the AddEventObjects function."""
test_event_objects = test_lib.CreateTestEventObjects()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'plaso.db')
storage_file = zip_file.StorageFile(temp_file)
storage_file.AddEventObjects(test_event_objects)
storage_file.Close()
def testWritePreprocessObject(self):
"""Tests the WritePreprocessObject function."""
preprocessing_object = event.PreprocessObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.StorageFile(temp_file)
storage_file.WritePreprocessObject(preprocessing_object)
storage_file.Close()
def testGetSerializedEventSourceStream(self):
"""Tests the _GetSerializedEventSourceStream function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
# TODO: add positive test.
with self.assertRaises(IOError):
storage_file._GetSerializedEventSourceStream(99)
storage_file.Close()
def testGetSerializedEventStream(self):
"""Tests the _GetSerializedEventStream function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
data_stream = storage_file._GetSerializedEventStream(2)
self.assertIsNotNone(data_stream)
with self.assertRaises(IOError):
storage_file._GetSerializedEventStream(99)
storage_file.Close()
def testStoreReport(self):
"""Tests the StoreReport function."""
analysis_report = reports.AnalysisReport(
plugin_name=u'test', text=u'test report')
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.StorageFile(temp_file)
storage_file.StoreReport(analysis_report)
storage_file.Close()
def testOpenStream(self):
"""Tests the _OpenStream function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
file_object = storage_file._OpenStream(u'plaso_timestamps.000002')
self.assertIsNotNone(file_object)
file_object = storage_file._OpenStream(u'bogus')
self.assertIsNone(file_object)
storage_file.Close()
def testReadStream(self):
"""Tests the _ReadStream function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
stream_data = storage_file._ReadStream(u'plaso_timestamps.000002')
self.assertNotEqual(stream_data, b'')
stream_data = storage_file._ReadStream(u'bogus')
self.assertEqual(stream_data, b'')
storage_file.Close()
def testGetSerializedEventOffsetTable(self):
"""Tests the _GetSerializedEventOffsetTable function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
offset_table = storage_file._GetSerializedEventOffsetTable(2)
self.assertIsNotNone(offset_table)
with self.assertRaises(IOError):
storage_file._GetSerializedEventOffsetTable(99)
storage_file.Close()
def testAddEventObject(self):
"""Tests the AddEventObject function."""
event_objects = test_lib.CreateTestEventObjects()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.StorageFile(temp_file)
for event_object in event_objects:
storage_file.AddEventObject(event_object)
storage_file.Close()
def testGetSortedEntry(self):
"""Tests the GetSortedEntry function."""
test_file = self._GetTestFilePath([u'psort_test.json.plaso'])
storage_file = zip_file.StorageFile(test_file, read_only=True)
expected_timestamp = 1453449153000000
event_object = storage_file.GetSortedEntry()
self.assertEqual(event_object.timestamp, expected_timestamp)
# Test lower bound time range filter.
test_time_range = time_range.TimeRange(
timelib.Timestamp.CopyFromString(u'2016-04-30 06:41:49'),
timelib.Timestamp.CopyFromString(u'2030-12-31 23:59:59'))
storage_file.Close()
storage_file = zip_file.StorageFile(test_file, read_only=True)
expected_timestamp = 1462105168000000
event_object = storage_file.GetSortedEntry(time_range=test_time_range)
self.assertEqual(event_object.timestamp, expected_timestamp)
# Test upper bound time range filter.
test_time_range = time_range.TimeRange(
timelib.Timestamp.CopyFromString(u'2000-01-01 00:00:00'),
timelib.Timestamp.CopyFromString(u'2016-04-30 06:41:49'))
storage_file.Close()
storage_file = zip_file.StorageFile(test_file, read_only=True)
expected_timestamp = 1453449153000000
event_object = storage_file.GetSortedEntry(time_range=test_time_range)
self.assertEqual(event_object.timestamp, expected_timestamp)
storage_file.Close()
